HIPAA applies to a therapist in three situations: when the therapist is a HIPAA covered entity in their own right, that is, a health care provider who transmits health information in electronic form in connection with a HIPAA standard transaction; when the therapist is part of an organization that is a covered entity; or when the therapist or counseling practice acts as a business associate by handling protected health information on behalf of another covered entity.
Many therapists qualify as covered health care providers because they submit electronic claims, eligibility inquiries, referral authorizations, or other electronic transactions covered by the HIPAA Administrative Simplification standards. A therapist who is entirely self-pay and conducts no covered electronic transactions may fall outside HIPAA as a matter of regulatory scope, but other federal and state confidentiality laws and professional standards can still apply. A practitioner checking this should note that the transaction does not have to be sent by the therapist personally: a practice that hands claims to a billing service or clearinghouse to submit electronically on its behalf is still treated as transmitting them. A therapist within a hospital, clinic, community mental health center, or group practice is typically within HIPAA scope when the organization meets the covered entity definition.
When HIPAA applies, the therapist must comply with the HIPAA Privacy Rule for uses and disclosures of protected health information, the HIPAA Security Rule for electronic protected health information, and the HIPAA Breach Notification Rule when unsecured protected health information is breached. Operational requirements include implementing appropriate policies and procedures, workforce training appropriate to role, safeguards for paper and electronic records, and processes for patient rights such as access and amendment. The HIPAA minimum necessary standard applies to most uses and disclosures other than those for treatment, to the individual, or under an authorization, and requires limiting the information shared to the minimum necessary for the purpose.
Therapy records have additional considerations under HIPAA. Psychotherapy notes receive special protections under the HIPAA Privacy Rule and generally require an authorization for most uses and disclosures, with limited exceptions; they are also excluded from the individual's right of access, so a patient request for "my records" does not by itself reach them. Other mental health information in the designated record set, such as diagnoses, treatment plans, medication lists, session summaries maintained as part of the medical record, and billing documentation, remains protected health information and is subject to standard Privacy Rule permissions, restrictions, and individual access rights.
Disclosures frequently arise in practice settings. Disclosures for treatment coordination with other providers can be permitted without authorization. Disclosures to health plans for payment can be permitted, but the therapist should limit disclosures to what is necessary for payment functions and follow applicable request and verification procedures. Disclosures to family members, caregivers, or others involved in an individual’s care are permitted only under specific conditions that consider the individual’s agreement, opportunity to object, or incapacity. Disclosures required by law, disclosures to avert a serious and imminent threat, and certain public health disclosures can be permitted, but the therapist must document the basis and limit disclosures appropriately.
Business associate relationships matter for therapists because common service providers may qualify as business associates. Billing companies, practice management platforms, electronic health record vendors, cloud storage providers, telehealth platforms, and transcription services can be business associates when they create, receive, maintain, or transmit protected health information on behalf of the therapist. A written business associate agreement is required when the relationship meets the definition, and the therapist remains responsible for selecting vendors that support compliance obligations.
A therapist can determine HIPAA applicability by confirming whether the practice conducts HIPAA standard electronic transactions, identifying the covered entity or hybrid entity structure when part of a larger organization, and mapping where protected health information is created, stored, or shared across people, systems, and vendors.
The Relevant HIPAA Regulations
45 CFR 160.102 and 45 CFR 160.103 are directly relevant because they define which entities are subject to the HIPAA Administrative Simplification regulations, including when a therapist is a covered health care provider. The regulatory text states in 45 CFR 160.102(a) that “the standards, requirements, and implementation specifications adopted under this subchapter apply to the following entities: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” The definition in 45 CFR 160.103 states “Covered entity means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” This language is relevant because it ties HIPAA applicability for therapists to covered entity status and electronic transactions, not professional licensure alone.
45 CFR 164.502 and 45 CFR 164.501 are relevant because they set the baseline prohibition on uses and disclosures of protected health information and define psychotherapy notes, which are common in therapy practice and subject to additional controls. The regulatory text in 45 CFR 164.502(a), as amended in 2013, states “A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.” The definition in 45 CFR 164.501 states “Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.” The same definition goes on to exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. This language is relevant because it establishes that therapy records can be protected health information, that psychotherapy notes receive distinct treatment under the HIPAA Privacy Rule, and that the special status depends on the notes being kept separate from the rest of the record rather than on their clinical content.
45 CFR 164.508 is relevant because it requires authorization for most uses and disclosures of psychotherapy notes even where other protected health information could be used or disclosed under another permission. The regulatory text in 45 CFR 164.508(a)(2) states “Authorization required: psychotherapy notes. Notwithstanding any other provision of this subpart, other than transition provisions provided for in § 164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except” followed by enumerated exceptions. Those exceptions include use by the originator of the notes for treatment, use or disclosure by the covered entity for its own training programs, and use or disclosure to defend itself in a legal action brought by the individual, together with a short list of cross-referenced permissions such as disclosures required by law. This language is relevant because it creates an authorization default for psychotherapy notes that governs how covered therapists handle both their own uses of the notes and disclosure requests from third parties.
